Privacy Policy
Privacy Notice
The Radiology Academy
Last updated: 13 April 2026 | Version 2.2
Who we are
This Privacy Notice explains how The Radiology Academy Ltd collects, uses, and protects your personal information when you visit theradiologyacademy.com, create an account, take out a subscription, or contact us.
The Radiology Academy is an online learning platform that helps radiology trainees prepare for the FRCR examinations. It is operated by The Radiology Academy Ltd, a company registered in England and Wales.
Our details
- Company name: The Radiology Academy Ltd
- Companies House number: 12768615
- Registered office: 2nd Floor, Parkgates, Bury New Road, Prestwich, M25 0TL, United Kingdom
- ICO registration number: ZB621582
- Contact email: info@theradiologyacademy.com
The Radiology Academy Ltd is the data controller for the personal information described in this notice. This means we are responsible for deciding how and why your personal information is used.
Because we are a small organisation, we are not legally required to appoint a Data Protection Officer. The Director of The Radiology Academy Ltd, Dr Yiannis Skarparis, is responsible for data protection matters and can be contacted at info@theradiologyacademy.com.
The information we collect about you
We only collect the information we need to run our service and meet our legal obligations. We do not collect any health information, patient information, or special category data. Our users are healthcare professionals and trainees who use our platform for educational purposes.
When you create an account
To register for an account on theradiologyacademy.com we ask you to provide:
- Your name
- Your email address
- A password (which we store as a secure cryptographic hash, never as plain text)
- Your country
- Your professional grade or training level (for example, ST1, SpR, Consultant)
As you use the platform we also automatically record:
- Your subscription status and history
- Your learning progress (for example, which questions you have attempted and your scores)
- Login dates and times
When you take out a subscription
Payments are processed by Stripe, our payment provider. We do not see, store, or have access to your full card number. Stripe collects and processes your payment data on our behalf and provides us with:
- Your name and billing country
- The last four digits of your card and the card brand
- A record of your transactions and subscription status
Stripe is independently responsible for the security of the raw card data and is certified to PCI-DSS Level 1, the highest standard for payment processors.
When you contact us
If you email us, fill in the contact form, or otherwise get in touch, we collect the information you choose to share with us, including your name, email address, and the content of your message. We use Google Workspace (Gmail) for our email.
When you visit our website
We use Google Analytics 4 to understand how visitors use theradiologyacademy.com so that we can improve the service. Google Analytics records:
- Your IP address (anonymised by Google before it is stored)
- Your browser type and operating system
- The pages you visit and how long you spend on them
- The website that referred you to us, if any
We do not use Google Analytics to identify you personally and we do not combine analytics data with your account.
We use a small number of cookies to make the website work, to keep you signed in to your account, and to support analytics. You can control cookies through your browser settings.
Why we use your information and our lawful bases
Under the UK General Data Protection Regulation (UK GDPR), we must have a lawful reason every time we use your personal information. The table below explains what we do with your information and the legal basis we rely on.
Running your account and providing the service
- What we do: Create and manage your account, authenticate logins, deliver the question bank, track your learning progress, manage your subscription.
- Lawful basis: Article 6(1)(b) — performance of a contract. We need to use your information to deliver the service you have signed up for.
Processing payments
- What we do: Take payment for subscriptions, manage billing, issue refunds where appropriate.
- Lawful basis: Article 6(1)(b) — performance of a contract.
Replying to your enquiries
- What we do: Respond to questions, provide technical support, handle account issues.
- Lawful basis: Article 6(1)(b) — performance of a contract (for existing customers); Article 6(1)(f) — legitimate interests (for prospective customers and general enquiries, where it is in our and your interests for us to respond).
Keeping accounting and tax records
- What we do: Maintain financial records and submit accounts and tax returns to HMRC and Companies House.
- Lawful basis: Article 6(1)(c) — legal obligation under the Companies Act 2006 and UK tax law.
Improving the service
- What we do: Use website analytics to understand how the platform is used and to improve it.
- Lawful basis: Article 6(1)(f) — legitimate interests. We have a legitimate interest in understanding how our platform is used so that we can improve it. We balance this against your privacy by anonymising IP addresses and not combining analytics data with personal accounts.
How long we keep your information
We keep your personal information only for as long as we need it. Our standard retention periods are:
- Active subscriber accounts: for the duration of your subscription, plus 12 months after your subscription ends, in case you choose to return.
- Inactive accounts: deleted after 24 months without activity.
- Payment and accounting records: 7 years from the end of the relevant accounting period, as required by HMRC.
- Email correspondence: up to 36 months from the date of last contact.
- Website analytics: rolling 14 months in Google Analytics 4.
- Records of data subject rights requests: 3 years from completion.
You can ask us to delete your account and personal information at any time. See "Your rights" below.
Who we share your information with
We do not sell your personal information and we do not share it with anyone for marketing purposes.
We do share your information with a small number of carefully chosen service providers (sometimes called "sub-processors") that help us run The Radiology Academy. Each one is bound by a contract that requires them to protect your information and only use it on our instructions.
Our service providers
- Stripe Payments Europe Ltd: processes all subscription payments. Stripe is also a controller of raw card data in its own right and is certified to PCI-DSS Level 1. Stripe's privacy notice is at stripe.com/privacy.
- Hetzner Online GmbH (hosting): we host theradiologyacademy.com and our account database on a Hetzner Cloud Virtual Private Server in Helsinki, Finland. Hetzner is a major European hosting provider headquartered in Germany. Finland is in the European Economic Area, which the UK government recognises as providing equivalent data protection.
- Novate Ltd (development and operations partner): Novate Ltd is our current development and operations partner, based in the United Kingdom. Novate manages our hosting and backup infrastructure and processes subscriber personal data on our behalf as a data processor under a Data Processing Agreement. This arrangement is transitional; ownership of our hosting and backup infrastructure will be transferred directly to The Radiology Academy Ltd in due course, at which point this notice will be updated.
- Amazon Web Services (AWS, sub-processor): used by Novate Ltd to provide encrypted backup storage for our database. Backups are stored in an AWS S3 bucket in the eu-west-2 region (London, United Kingdom). All backups are encrypted at rest using AWS server-side encryption (AES-256). AWS is a sub-processor under our agreement with Novate.
- Google Workspace (Google Ireland Ltd / Google LLC): provides our business email through Gmail.
- Google Analytics 4 (Google Ireland Ltd / Google LLC): provides anonymised website analytics.
- Haffner Hoff: our external accountants, who maintain our statutory accounts, VAT records, and corporation tax records.
- HMRC and Companies House: we are required by law to share certain financial and corporate information with HMRC and Companies House.
International transfers
Most of your information stays within the United Kingdom or the European Economic Area (EEA). The UK government recognises EEA countries as providing equivalent data protection, so transfers from the UK to the EEA do not require additional safeguards.
Where any of our service providers process data outside the UK or EEA, we make sure that one of the following safeguards is in place:
- Hetzner (hosting): your account data and our database are held on servers in Helsinki, Finland (EEA). No additional safeguards required.
- AWS S3 (backups, via Novate): encrypted backups are stored in eu-west-2 (London, United Kingdom). No international transfer.
- Stripe: processes data in the European Economic Area for European customers. Where Stripe transfers data to the United States, the transfer is covered by the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Google Workspace and Google Analytics: Google processes data in its global infrastructure. Transfers to the United States are covered by the European Commission's Standard Contractual Clauses and the EU-US Data Privacy Framework.
- Haffner Hoff and HMRC: process data within the United Kingdom only.
Your rights
Under the UK GDPR you have a number of rights regarding the personal information we hold about you. These rights are free to exercise. We will respond to any request within one calendar month.
- Right of access (Article 15): you can ask us for a copy of the personal information we hold about you.
- Right to rectification (Article 16): you can ask us to correct any information that is wrong or incomplete.
- Right to erasure (Article 17): you can ask us to delete your personal information, sometimes called the "right to be forgotten". We may need to keep some information for legal reasons (for example, tax records).
- Right to restriction (Article 18): you can ask us to stop using your information in certain circumstances.
- Right to data portability (Article 20): you can ask us to give you a copy of the information you have given us, in a format that lets you move it to another service.
- Right to object (Article 21): you can object to us using your information based on our legitimate interests.
- Right to withdraw consent: where we rely on your consent (for example, for marketing emails), you can withdraw it at any time.
To exercise any of these rights, please email us at info@theradiologyacademy.com. We may need to verify your identity before we can act on your request, to protect your information from being disclosed to the wrong person.
Right to complain to the ICO
If you are unhappy with how we have handled your personal information, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator. We would, of course, prefer you to contact us first so that we have a chance to put things right.
- ICO website: ico.org.uk
- ICO helpline: 0303 123 1113
- ICO post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
How we keep your information safe
We take the security of your personal information seriously and use a combination of technical and organisational measures to protect it. These include:
- Encryption of all data in transit between your device and our servers using TLS (HTTPS)
- Encryption of personal data at rest on our servers
- Storing passwords as bcrypt cryptographic hashes, never as plain text
- Strict access controls so that only authorised people can access the systems holding your information
- Multi-factor authentication on administrative accounts
- Regular software updates and security patches
- Encrypted backups so that we can recover your data if something goes wrong
No system can be guaranteed to be 100% secure. If we ever became aware of a personal data breach affecting your information, we would assess it promptly and notify the ICO and you where required to do so by law.
Children
The Radiology Academy is intended for use by qualified healthcare professionals and trainee doctors. It is not intended for, and we do not knowingly collect personal information from, children under the age of 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
Changes to this notice
We may update this Privacy Notice from time to time, for example if we change how we use information or if there are changes to data protection law. When we make significant changes we will let you know by email or with a notice on the website. The date at the top of this notice always shows when it was last updated.
Previous versions of this notice are available on request.
Contact us
If you have any questions about this Privacy Notice, or about how we use your personal information, please get in touch:
- Email: info@theradiologyacademy.com
- Post: The Radiology Academy Ltd, 2nd Floor, Parkgates, Bury New Road, Prestwich, M25 0TL, United Kingdom
This Privacy Notice was reviewed and approved by the Director of The Radiology Academy Ltd on 13 April 2026. It will be reviewed at least annually, or sooner if there are material changes to our processing.